AAD Sync errors 8344 on export for a small number of accounts

Spencer Guest 21 Reputation points

Good morning hive mind!

I am struggling to find what is causing error 8344 on just 8 accounts on Export sync with AAD. I'm getting error 8344 "Insufficient access rights to perform the operation".

We have enabled inheritance on the MSOL account, and have checked permissions are set for reset/change password. But we are still getting these errors.

Any ideas would be helpful please!


1 answer

  1. Michael Smith-MSFT 2,831 Reputation points Microsoft Employee

    Hi @Spencer Guest ,

    Thank you for reaching out to the Q&A community.

    This permission error can happen when syncing users with pre-existing administrative accounts.

    Check if the users have admin count 1 in their attributes.

    It's possible to configure the permission, but it's strongly recommended not to sync users with on-premises admin accounts.


    On-prem admins should be dedicated accounts for administration with no application access. You want the Azure AD admins to be cloud-only accounts: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning#ensure-separate-user-accounts-and-mail-forwarding-for-global-administrator-accounts

    I hope this helps to resolve your query. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

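One way to run the adminCount check suggested in the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the account names and the function name `Get-AdminCountStatus` are placeholders chosen for illustration.

```powershell
# Added example: report adminCount and ACL inheritance for the accounts
# that fail export with error 8344.
# Assumes the ActiveDirectory module (RSAT) and read access to the objects.
Import-Module ActiveDirectory

# Constructed placeholder names: replace with the accounts that report error 8344.
$failing = @('user1', 'user2')

function Get-AdminCountStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$SamAccountName
    )

    foreach ($name in $SamAccountName) {
        try {
            $u = Get-ADUser -Identity $name `
                -Properties adminCount, nTSecurityDescriptor, memberOf -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not read '$name': $($_.Exception.Message)"
            continue
        }

        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            # 1 means the account is, or once was, in a protected (admin) group.
            AdminCount          = $u.adminCount
            # True means the object's ACL does not inherit from its parent OU,
            # so permissions delegated at OU level do not reach this object.
            InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
            # Current group memberships, to see whether the account is still an admin.
            MemberOf            = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    }
}

Get-AdminCountStatus -SamAccountName $failing | Format-Table -AutoSize -Wrap
```

Accounts that show `AdminCount` 1 together with `InheritanceDisabled` True are the ones to review against the recommendation above to keep on-premises admin accounts out of sync scope.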